Is systemd-resolved useful?

This article is meant to dispel an internet myth that says systemd-resolved is pointless and isn’t doing you any good. systemd-resolved is almost guaranteed to be useful for any Linux device that accesses the internet and can optionally be configured to boost your privacy and security.

First things first:

How to tell if your system is using systemd-resolved?

Ubuntu 16.04 and later as well as any derivative Linux distributions use systemd-resolved by default. If you’re not sure whether you’re actually using systemd-resolved or not then we can quickly establish that by running the following command:

systemctl -n0 status systemd-resolved && \
head -n1 /etc/resolv.conf

The command should return: “# This file is managed by man:systemd-resolved(8). Do not edit.” This means that your system is indeed using systemd-resolved.

If you really do want to edit this file, then the configuration example in the bottom of this article will show you how to set the DNS server to something else. You can also read How to take back control of /etc/resolv.conf if you want to configure this file manually.

Improving DNS responsiveness with caching

systemd-resolved caches DNS query responses by default. This means that it can quickly respond to repeated queries for the same domains even when they come from different programs on your system. But is this actually useful to you on your system?

Before performing the next step, either let your system do its thing for a little while or otherwise use the system as normal for some minutes. Afterwards, you can run the following command to determine whether systemd-resolved’s DNS cache is doing you any good:

resolvectl statistics

This will return some statistics that should help prove systemd-resolved’s worth. The cache can store up to 4096 DNS responses for up to 2 hours, so don’t expect to see a massive number listed as the current cache size. You need not be afraid that the cache will bog down your system memory either. A quick calculation shows that the DNS cache can’t grow to more than 420 kB when used to its fullest.

Advertisement

What is more interesting is the next two numbers: cache hits and cache misses. The last number is the number of DNS queries that had to be forwarded to an external recursive DNS server, whereas the first number is the number of queries that was resolved immediately without the need to reach out to an external server. Every cache hit is an instance where systemd-resolved made your system just a little faster.

Enhancing DNS privacy and security

DNS queries and responses have traditionally been unencrypted, but more and more resolvers now support DNS over an encrypted TLS connection (DNS over TLS). TLS can help ensure that no parties between the DNS server and the resolver can see or modify the DNS responses. This means that someone on the same public network at a café can’t see what you’re doing through your DNS request, and also means that your internet service provider nor your local government can see into your traffic either.

systemd-resolved only supports opportunistic DNS over an encrypted channel. Opportunistic here means that it will reach out and connect over TLS when available, but it won’t verify that it‘s connecting to the correct server; make it susceptible to the man-in-the-middle interception as described in Actually secure DNS over TLS in Unbound. Attempting to use encryption is still a step up from no encryption at all, however!

You can enable this options (make sure you use a DNS provider that support DNS over TLS and DNSSEC) by adding the following options to the /etc/systemd/resolved.conf file:

You must restart the systemd-resolved service (the command is systemctl restart systemd-resolved.service) for these options to take effect. You can learn more details about the available configuration options in the resolved.conf manual.

The statistics command, shown above, also output some statistics over the effects of DNSSEC enforcement. DNSSEC helps prevent a potential attacker from modifying your DNS responses, but systemd-resolved doesn’t enforce this by default. The intricacies of DNSSEC is out of scope for this article, however.

When you need strong security and privacy, then you’ll need to setup a more capable DNS resolver than systemd-resolved such as Knot Resolver or Unbound. These more fully features resolvers also support caching more DNS query responses and for much longer than systemd-resolved.